Five SAFECode board members visited Washington DC earlier this month and met with representatives of the US Federal government interested in cybersecurity. With the growing awareness amongst policy makers of the importance of software security assurance and its critical role in cybersecurity, it is important to further educate policy makers on this complex issue and industry best practices in this space.

Effective cybersecurity policy development depends on active stakeholder engagement. To that end, we spent quality time with senior staff from Congress, the Administration, and independent regulatory agencies, explaining the role of software security assurance in cybersecurity. We briefed our audience about the core SAFECode principles and the resources SAFECode has built to advance adoption of secure software development practices.

It was very encouraging to see the level of awareness of software security by shown by our audience, and their active engagement in terms of the questions they asked. Everyone understood that all software has errors and that a small subset of these errors result in software vulnerabilities.

We explained how secure software development is the result a holistic process and how there is no silver bullet to achieve software security assurance. We also underscored the knowledge gap of software professionals, who, even when they have a computer science degree, have limited exposure to secure development practices as part of their software engineering education.

Finally, we outlined the resources created by SAFECode, which are available to key software security stakeholders:

There was high-praise for SAFECode’s contribution to promoting best practices for developing and delivering more secure and reliable software, and for advancing the understanding of the role of secure software in a broader cybersecurity strategy.

SAFECode also had the opportunity to present at the Software and Supply Chain Assurance Forum. SAFECode briefed the audience on the forthcoming updates to the “Fundamental practices of secure software development” paper and reminded the audience of the other relevant resources SAFECode has including the “Principles of Software Assurance Assessment” and the training modules.

Overall, it was a very productive trip, with a very attentive and engaged audience. SAFECode looks forward to continuing to serve as a resource to global policy makers on software security assurance.